X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/b04fe171f0375ecd5d8a24747ca1dff85720a0ca..6b200bc335dc93c5516ccb52f14bd896d8c7fad7:/SecurityTests/clxutils/ocspTool/ocspTool.cpp

diff --git a/SecurityTests/clxutils/ocspTool/ocspTool.cpp b/SecurityTests/clxutils/ocspTool/ocspTool.cpp
deleted file mode 100644
index 153cdaa4..00000000
--- a/SecurityTests/clxutils/ocspTool/ocspTool.cpp
+++ /dev/null
@@ -1,1254 +0,0 @@
-/* 
- * ocspTool - simple OCSP request/response generator and parser
- */
-#include <Security/Security.h>
-#include <Security/SecAsn1Coder.h>
-#include <Security/ocspTemplates.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <string.h>
-#include <sys/types.h>
-#include <security_cdsa_utils/cuFileIo.h>
-#include <security_cdsa_utils/cuCdsaUtils.h>
-#include <security_cdsa_utils/cuOidParser.h>
-#include <security_cdsa_utils/cuPrintCert.h>
-#include <clAppUtils/CertParser.h>
-#include <clAppUtils/timeStr.h>
-#include <clAppUtils/identPicker.h>
-#include <CommonCrypto/CommonDigest.h>
-#include <security_ocspd/ocspExtensions.h>
-#include <security_ocspd/ocspdUtils.h>
-#include <utilLib/common.h>
-#include "ocspUtils.h"
-#include "ocspRequest.h"
-#include "ocspNetwork.h"
-#include "findOcspUrl.h"
-
-static void usage(char **argv) 
-{
-	printf("Usage: %s cmd [option...]\n", argv[0]);
-	printf("cmds:\n");
-	printf("   g generate request\n");
-	printf("   G parse request\n");
-	printf("   r generate reply\n");
-	printf("   R parse reply\n");
-	printf("   p generate OCSP request, post, get reply (use -p and/or -o)\n");
-	printf("Options\n");
-	printf("  -c cert_file         -- for generating request\n");
-	printf("  -C issuer_cert_file  -- for generating request\n");
-	printf("  -i in_file           -- for parsing\n");
-	printf("  -o out_file          -- for generating\n");
-	printf("  -s status            -- cert status: g(ood)|r(evoked)|u(nknown)\n");
-	printf("  -r crlReason         -- integer 0..8\n");
-	printf("  -k keychain          -- keychain containing signing cert\n");
-	printf("  -p                   -- parse reply from post op\n");
-	printf("  -u responderURI      -- OCSP responder here, not from cert's AIA extension\n");
-	printf("  -v                   -- verbose; e.g., print certs\n");
-	exit(1);
-}
-
-void doIndent(int indent)
-{
-	for(int dex=0; dex<indent; dex++) {
-		printf(" ");
-	}
-}
-
-static void printString(
-	const CSSM_DATA *str)
-{
-	unsigned i;
-	char *cp = (char *)str->Data;
-	for(i=0; i<str->Length; i++) {
-		printf("%c", *cp++);
-	}
-	printf("\n");
-}
-
-static void printDataAsHex(
-	const CSSM_DATA *d,
-	unsigned maxToPrint = 0)		// optional, 0 means print it all
-{
-	unsigned i;
-	bool more = false;
-	uint32 len = d->Length;
-	uint8 *cp = d->Data;
-	
-	if((maxToPrint != 0) && (len > maxToPrint)) {
-		len = maxToPrint;
-		more = true;
-	}	
-	for(i=0; i<len; i++) {
-		printf("%02X ", ((unsigned char *)cp)[i]);
-	}
-	if(more) {
-		printf("...\n");
-	}
-	else {
-		printf("\n");
-	}
-}
-
-static void printTaggedItem(
-	const NSS_TaggedItem &ti)
-{
-	switch(ti.tag) {
-		case BER_TAG_PRINTABLE_STRING:
-		case BER_TAG_T61_STRING:
-		case BER_TAG_IA5_STRING:
-		case BER_TAG_UTC_TIME:
-		case BER_TAG_GENERALIZED_TIME:
-			printString(&ti.item);
-			break;
-		default:
-			printDataAsHex(&ti.item, 0);
-	}
-}
-
-static void printName(
-	const NSS_Name &name,
-	int indent)
-{
-	OidParser parser;
-	
-	unsigned numRdns = ocspdArraySize((const void **)name.rdns);
-	for(unsigned rdnDex=0; rdnDex<numRdns; rdnDex++) {
-		NSS_RDN *rdn = name.rdns[rdnDex];
-		unsigned numATVs = ocspdArraySize((const void **)rdn->atvs);
-		for(unsigned atvDex=0; atvDex<numATVs; atvDex++) {
-			NSS_ATV *atv = rdn->atvs[atvDex];
-			char buf[OID_PARSER_STRING_SIZE];
-			parser.oidParse(atv->type.Data, atv->type.Length, buf);
-			doIndent(indent);
-			printf("%s : ", buf);
-			printTaggedItem(atv->value);
-		}
-	}
-}	
-
-static uint8 nullParam[2] = {5, 0};
-
-/*
- * Given the following, create a ResponseData (to be signed by caller).
- *
- *		cert status (CS_{Good,Revoked,Unknown})
- *		cert being verified
- *		issuer cert
- *		this update time
- *		next update time (optional)
- *		nonce (optional)
- */
-static int genTbsResp(
-	SecAsn1CoderRef coder,			// result in this coder's address space
-	CSSM_CL_HANDLE clHand, 
-	SecAsn1OCSPCertStatusTag status,
-	CE_CrlReason reason,			// for CS_Revoked
-	const CSSM_DATA	&subjectCert,
-	const CSSM_DATA &issuerCert,
-	unsigned thisUpdate,			// required, seconds from now
-	unsigned nextUpdate,			// optional, seconds from now, 0 ==> skip
-	const CSSM_DATA *nonce,			// optional
-	CSSM_DATA &encodedTbs)			// allocated in coder space and RETURNED
-{
-	char *nextUpdStr = NULL;
-	CSSM_DATA nextUpdateData;
-	char *thisUpdStr = NULL;
-	CSSM_DATA *thisUpdateData;
-	SecAsn1OCSPResponseData responseData;
-	OCSPNonce *nonceExt = NULL;
-	char *producedAt = NULL;
-	SecAsn1OCSPSingleResponse singleResp;
-	SecAsn1OCSPSingleResponse *respArray[2] = {&singleResp, NULL};
-	SecAsn1OCSPResponderID responderID;
-	NSS_CertExtension *extenArray[2] = {NULL, NULL};
-	
-	/* SingleResponse */
-	memset(&singleResp, 0, sizeof(singleResp));
-	
-	/* SingleResponse.CertID */
-	SecAsn1OCSPCertID &certId = singleResp.certID;
-	CertParser parser(clHand);
-	CertParser issuerParser(clHand);
-	CSSM_RETURN crtn = parser.initWithData(subjectCert);
-	if(crtn) {
-		cssmPerror("CertParser.initWithData for subject cert", crtn);
-		return -1;
-	}
-	crtn = issuerParser.initWithData(issuerCert);
-	if(crtn) {
-		cssmPerror("CertParser.initWithData for issuer", crtn);
-		return -1;
-	}
-
-	/* algId refers to the hash we'll perform in issuer name and key */
-	certId.algId.algorithm = CSSMOID_SHA1;
-	certId.algId.parameters.Data = nullParam;
-	certId.algId.parameters.Length = sizeof(nullParam);
-	
-	/* SHA1(issuerName) */
-	CSSM_DATA issuerName = {0, NULL};
-	issuerName.Data = (uint8 *)parser.fieldForOid(CSSMOID_X509V1IssuerNameStd, 
-		issuerName.Length);
-	if(issuerName.Data == NULL) {
-		printf("***Error fetching issuer name. Aborting.\n");
-		return 1;
-	}
-	uint8 issuerNameHash[CC_SHA1_DIGEST_LENGTH];
-	ocspdSha1(issuerName.Data, issuerName.Length, issuerNameHash);
-	
-	/* SHA1(issuer public key) */
-	CSSM_KEY_PTR pubKey = NULL;
-	CSSM_SIZE pubKeyLen = sizeof(CSSM_KEY);
-	pubKey = (CSSM_KEY_PTR)issuerParser.fieldForOid(CSSMOID_CSSMKeyStruct, pubKeyLen);
-	if(pubKey == NULL) {
-		printf("***Error fetching public key from issuer cert. Aborting.\n");
-		return 1;
-	}
-	uint8 pubKeyHash[CC_SHA1_DIGEST_LENGTH];
-	ocspdSha1(pubKey->KeyData.Data, pubKey->KeyData.Length, pubKeyHash);
-
-	/* serial number */
-	CSSM_DATA serialNum = {0, NULL};
-	serialNum.Data = (uint8 *)parser.fieldForOid(CSSMOID_X509V1SerialNumber, 
-		serialNum.Length);
-	if(serialNum.Data == NULL) {
-		printf("***Error fetching serial number. Aborting.\n");
-		return 1;
-	}
-
-	/* build the CertID from those components */
-	certId.issuerNameHash.Data = issuerNameHash;
-	certId.issuerNameHash.Length = CC_SHA1_DIGEST_LENGTH;
-	certId.issuerPubKeyHash.Data = pubKeyHash;
-	certId.issuerPubKeyHash.Length = CC_SHA1_DIGEST_LENGTH;	
-	certId.serialNumber = serialNum;
-
-	/* SingleResponse.CertStatus - to be encoded on its own */
-	SecAsn1OCSPCertStatus certStatus;
-	memset(&certStatus, 0, sizeof(certStatus));
-	SecAsn1OCSPRevokedInfo revokedInfo;
-	char *revokedAt = NULL;
-	CSSM_DATA reasonData;
-	OSStatus ortn;
-	
-	if(status == CS_Revoked) { 
-		/* cook up SecAsn1OCSPRevokedInfo */
-		certStatus.revokedInfo = &revokedInfo;
-		revokedAt = appTimeAtNowPlus(-3600, TIME_GEN);
-		revokedInfo.revocationTime.Data = (uint8 *)revokedAt; 
-		revokedInfo.revocationTime.Length = strlen(revokedAt);
-		uint8 theReason = reason;
-		reasonData.Data = &theReason;
-		reasonData.Length = 1;
-		revokedInfo.revocationReason = &reasonData;
-		ortn = SecAsn1EncodeItem(coder, &certStatus, 
-			kSecAsn1OCSPCertStatusRevokedTemplate, 
-			&singleResp.certStatus);
-	}
-	else {
-		ortn = SecAsn1EncodeItem(coder, &certStatus, 
-			kSecAsn1OCSPCertStatusGoodTemplate,
-			&singleResp.certStatus);
-	}
-	if(ortn) {
-		printf("***Error encoding certStatus\n"); 
-		goto errOut;
-	}
-	
-	/* SingleResponse.thisUpdate */
-	thisUpdStr = appTimeAtNowPlus(thisUpdate, TIME_GEN);
-	thisUpdateData = &singleResp.thisUpdate;
-	thisUpdateData->Data = (uint8 *)thisUpdStr;
-	thisUpdateData->Length = strlen(thisUpdStr);
-	
-	/* SingleResponse.nextUpdate, optional */
-	if(nextUpdate) {
-		nextUpdStr = appTimeAtNowPlus(nextUpdate, TIME_GEN); 
-		nextUpdateData.Data = (uint8 *)nextUpdStr;
-		nextUpdateData.Length = strlen(nextUpdStr);
-		singleResp.nextUpdate = &nextUpdateData;
-	}
-	
-	/* Single Extensions - none for now */
-	 
-	/* Now up to ResponseData */
-	memset(&responseData, 0, sizeof(responseData));
-	
-	/* skip version */
-	
-	/* 
-	 * ResponseData.responderID: KeyHash (of signer); we already got this for CertID.
-	 * WE have to encode this one separately and drop it in as an ASN_ANY. 
-	 */
-	responderID.byKey = certId.issuerPubKeyHash;
-	ortn = SecAsn1EncodeItem(coder, &responderID, 
-		kSecAsn1OCSPResponderIDAsKeyTemplate,
-		&responseData.responderID);
-	if(ortn) {
-		printf("***Error encoding responderID\n");
-		goto errOut;
-	}
-	
-	/* ResponseData.producedAt = now */
-	producedAt = appTimeAtNowPlus(0, TIME_GEN);
-	responseData.producedAt.Data = (uint8 *)producedAt;
-	responseData.producedAt.Length = strlen(producedAt);
-		
-	/* ResponseData.responses - one of 'em */
-	responseData.responses = respArray;
-	
-	/* ResponseData.responseExtensions - optionally one, nonce */
-	if(nonce) {
-		nonceExt = new OCSPNonce(coder, false, *nonce);
-		extenArray[0] = nonceExt->nssExt();
-		responseData.responseExtensions = extenArray;
-	}
-	else {
-		responseData.responseExtensions = NULL;
-	}
-	
-	/* encode it */
-	encodedTbs.Data = NULL;
-	encodedTbs.Length = 0;
-	ortn = SecAsn1EncodeItem(coder, &responseData, 
-		kSecAsn1OCSPResponseDataTemplate,
-		&encodedTbs);
-	if(ortn) {
-		printf("***Error encoding SecAsn1OCSPResponseData\n");
-	}
-errOut:
-	/* free resources */
-	if(revokedAt) {
-		CSSM_FREE(revokedAt);
-	}
-	if(thisUpdStr) {
-		CSSM_FREE(thisUpdStr);
-	}
-	if(nextUpdStr) {
-		CSSM_FREE(nextUpdStr);
-	}
-	if(nonceExt) {
-		delete nonceExt;
-	}
-	return ortn;
-}
-
-static int genOcspReq(
-	CSSM_CL_HANDLE clHand,
-	const unsigned char *certFile, 
-	unsigned certFileLen, 
-	const unsigned char *issuerCertFile, 
-	unsigned issuerCertFileLen, 
-	unsigned char **outFile,		// RETURNED 
-	unsigned *outFileLen)			// RETURNED
-{
-	CertParser parser(clHand);
-	CertParser issuerParser(clHand);
-	CSSM_DATA certData = {certFileLen, (uint8 *)certFile};
-	CSSM_RETURN crtn;
-	crtn = parser.initWithData(certData);
-	if(crtn) {
-		cssmPerror("CertParser.initWithData for subject cert", crtn);
-		return -1;
-	}
-	certData.Data = (uint8 *)issuerCertFile;
-	certData.Length = issuerCertFileLen;
-	crtn = issuerParser.initWithData(certData);
-	if(crtn) {
-		cssmPerror("CertParser.initWithData for issuer", crtn);
-		return -1;
-	}
-	
-	/* 
-	 * One single request, no extensions
-	 */
-	SecAsn1OCSPRequest singleReq;
-	memset(&singleReq, 0, sizeof(singleReq));
-	SecAsn1OCSPCertID &certId = singleReq.reqCert;
-
-	/* algId refers to the hash we'll perform in issuer name and key */
-	certId.algId.algorithm = CSSMOID_SHA1;
-	certId.algId.parameters.Data = nullParam;
-	certId.algId.parameters.Length = sizeof(nullParam);
-	
-	/* SHA1(issuerName) */
-	CSSM_DATA issuerName = {0, NULL};
-	issuerName.Data = (uint8 *)parser.fieldForOid(CSSMOID_X509V1IssuerNameStd, 
-		issuerName.Length);
-	if(issuerName.Data == NULL) {
-		printf("***Error fetching issuer name. Aborting.\n");
-		return 1;
-	}
-	uint8 issuerNameHash[CC_SHA1_DIGEST_LENGTH];
-	ocspdSha1(issuerName.Data, issuerName.Length, issuerNameHash);
-	
-	/* SHA1(issuer public key) */
-	CSSM_KEY_PTR pubKey = NULL;
-	CSSM_SIZE pubKeyLen = sizeof(CSSM_KEY);
-	pubKey = (CSSM_KEY_PTR)issuerParser.fieldForOid(CSSMOID_CSSMKeyStruct, pubKeyLen);
-	if(pubKey == NULL) {
-		printf("***Error fetching public key from issuer cert. Aborting.\n");
-		return 1;
-	}
-	uint8 pubKeyHash[CC_SHA1_DIGEST_LENGTH];
-	ocspdSha1(pubKey->KeyData.Data, pubKey->KeyData.Length, pubKeyHash);
-
-	/* serial number */
-	CSSM_DATA serialNum = {0, NULL};
-	serialNum.Data = (uint8 *)parser.fieldForOid(CSSMOID_X509V1SerialNumber, 
-		serialNum.Length);
-	if(serialNum.Data == NULL) {
-		printf("***Error fetching serial number. Aborting.\n");
-		return 1;
-	}
-
-	/* build the CertID from those components */
-	certId.issuerNameHash.Data = issuerNameHash;
-	certId.issuerNameHash.Length = CC_SHA1_DIGEST_LENGTH;
-	certId.issuerPubKeyHash.Data = pubKeyHash;
-	certId.issuerPubKeyHash.Length = CC_SHA1_DIGEST_LENGTH;	
-	certId.serialNumber = serialNum;
-
-	/* 
-	 * Build top level request with one entry in requestList, no signature,
-	 * one extension (a nonce)
-	 */
-	SecAsn1OCSPSignedRequest signedReq;
-	SecAsn1OCSPRequest *reqArray[2] = { &singleReq, NULL };
-	SecAsn1OCSPTbsRequest &tbs = signedReq.tbsRequest;
-	memset(&signedReq, 0, sizeof(signedReq));
-	uint8 version = 0;
-	CSSM_DATA vers = {1, &version};
-	tbs.version = &vers;
-	tbs.requestList = reqArray;
-
-	/* one extension - the nonce */
-	SecAsn1CoderRef coder;
-	SecAsn1CoderCreate(&coder);
-	uint8 nonceBytes[8] = {0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0};
-	CSSM_DATA nonceData = {8, nonceBytes};
-	OCSPNonce *nonce = new OCSPNonce(coder, false, nonceData);
-	NSS_CertExtension *extenArray[2] = {nonce->nssExt(), NULL};
-	tbs.requestExtensions = extenArray;
-	
-	/* Encode */
-	OSStatus ortn;
-	CSSM_DATA encoded = {0, NULL};
-	ortn = SecAsn1EncodeItem(coder, &signedReq, kSecAsn1OCSPSignedRequestTemplate,
-		&encoded);
-	if(ortn) {
-		printf("***Error encoding SecAsn1OCSPSignedRequest\n");
-	}
-	else {
-		*outFile = (unsigned char *)malloc(encoded.Length);
-		*outFileLen = encoded.Length;
-		memmove(*outFile, encoded.Data, encoded.Length);
-	}
-	SecAsn1CoderRelease(coder);
-	return (int)ortn;
-}
-
-static void dumpCertID(
-	SecAsn1OCSPCertID *certID,
-	int indent)
-{
-	doIndent(indent);
-	printf("algId            : ");
-	printDataAsHex(&certID->algId.algorithm);
-	
-	doIndent(indent);
-	printf("issuerNameHash   : ");
-	printDataAsHex(&certID->issuerNameHash);
-	
-	doIndent(indent);
-	printf("issuerPubKeyHash : ");
-	printDataAsHex(&certID->issuerPubKeyHash);
-	
-	doIndent(indent);
-	printf("serialNumber     : ");
-	printDataAsHex(&certID->serialNumber);
-}
-
-static void printCritical(
-	int indent,
-	OCSPExtension *ocspExt)
-{
-	doIndent(indent);
-	printf("Critical           : %s\n", ocspExt->critical() ? "true" : "false");
-}
-
-static void printOcspExt(
-	SecAsn1CoderRef coder,
-	NSS_CertExtension *nssExt, 
-	int indent)
-{
-	OCSPExtension *ocspExt = NULL;
-	try {
-		ocspExt = OCSPExtension::createFromNSS(coder, *nssExt);
-	}
-	catch(...) {
-		doIndent(indent);
-		printf("***Error thrown parsing extension\n");
-		return;
-	}
-	switch(ocspExt->tag()) {
-		case OET_Unknown: 
-			doIndent(indent);
-			printf("Extension type: Unknown\n");
-			printCritical(indent, ocspExt);
-			return;
-		case OET_Nonce: 
-		{
-			doIndent(indent);
-			printf("Extension type     : Nonce\n");
-			printCritical(indent, ocspExt);
-			doIndent(indent);
-			OCSPNonce *nonce = dynamic_cast<OCSPNonce *>(ocspExt);
-			if(nonce == NULL) {
-				printf("***dynamic_cast failure in OCSPNonce!\n");
-				return;
-			}
-			printf("nonce value        : ");
-			printDataAsHex(&nonce->nonce());
-			break;
-		}
-		case OET_CrlReference: 
-			doIndent(indent);
-			printf("Extension type     : CrlReference");
-			printCritical(indent, ocspExt);
-			/* TBD */
-			return;
-		case OET_AcceptResponse: 
-			doIndent(indent);
-			printf("Extension type     : AcceptResponse");
-			printCritical(indent, ocspExt);
-			/* TBD */
-			return;
-		case OET_ArchiveCutoff:
-			doIndent(indent);
-			printf("Extension type     : ArchiveCutoff");
-			printCritical(indent, ocspExt);
-			/* TBD */
-			return;
-		case OET_ServiceLocator:
-			doIndent(indent);
-			printf("Extension type     : ServiceLocator");
-			printCritical(indent, ocspExt);
-			/* TBD */
-			return;
-		default:
-			/* this code is out of sync with ocspExtensions.{h,cpp} */
-			doIndent(indent);
-			printf("Extension type     : unrecognized - code sync error");
-			printCritical(indent, ocspExt);
-			return;
-			
-	}
-}
-
-static int parseOcspReq(
-	CSSM_CL_HANDLE clHand, 
-	unsigned char *inFile, 
-	unsigned inFileLen,
-	bool verbose)
-{
-	SecAsn1CoderRef coder;
-	SecAsn1OCSPSignedRequest signedReq;
-	SecAsn1OCSPTbsRequest &tbs = signedReq.tbsRequest;
-	OSStatus ortn;
-	int indent;
-	unsigned numExts;
-	unsigned numReqs;
-	
-	SecAsn1CoderCreate(&coder);
-	memset(&signedReq, 0, sizeof(signedReq));
-	
-	ortn = SecAsn1Decode(coder, inFile, inFileLen, kSecAsn1OCSPSignedRequestTemplate,
-		&signedReq);
-	if(ortn) {
-		printf("***Error decoding SecAsn1OCSPSignedRequest\n");
-		goto errOut;
-	}
-	printf("SecAsn1OCSPSignedRequest:\n");
-	
-	printf("SecAsn1OCSPTbsRequest:\n");
-	indent = 2;
-	if(tbs.version) {
-		doIndent(indent);
-		printf("Version : ");
-		printDataAsHex(tbs.version);
-	}
-	if(tbs.requestorName) {
-		doIndent(indent);
-		printf("NSS_GeneralName found; print it later maybe\n");
-	}
-	numReqs = ocspdArraySize((const void **)tbs.requestList);
-	for(unsigned dex=0; dex<numReqs; dex++) {
-		SecAsn1OCSPRequest *req = tbs.requestList[dex];
-		doIndent(indent);
-		printf("Request List Entry %u\n", dex);
-		indent += 2;
-		doIndent(indent);
-		printf("CertID:\n");
-		indent += 2;
-		SecAsn1OCSPCertID *certID = &req->reqCert;
-		dumpCertID(certID, indent);
-		indent -= 2;
-		numExts = ocspdArraySize((const void **)req->extensions);
-		for(unsigned extDex=0; extDex<numExts; extDex++) {
-			doIndent(indent);
-			printf("singleExtension[%u]\n", extDex);
-			printOcspExt(coder, req->extensions[dex], indent + 2);
-		}
-		indent -= 2;
-	}
-
-	numExts = ocspdArraySize((const void **)tbs.requestExtensions);
-	for(unsigned extDex=0; extDex<numExts; extDex++) {
-		doIndent(indent);
-		printf("requestExtension[%u]\n", extDex);
-		printOcspExt(coder, tbs.requestExtensions[extDex], indent + 2);
-	}
-
-	indent -= 2;
-	
-	if(signedReq.signature) {
-		printf("SecAsn1OCSPSignature:\n");
-		indent += 2;
-		doIndent(indent);
-		printf("==unparsed for now ==\n");
-		/* ... */
-		indent -= 2;
-	}
-errOut:
-	SecAsn1CoderRelease(coder);
-	return ortn;
-}
-
-static int genOcspResp(
-	CSSM_CL_HANDLE clHand, 
-	SecAsn1OCSPCertStatusTag status,
-	CE_CrlReason reason,			// for CS_Revoked
-	const unsigned char *subjectCert,
-	unsigned subjectCertLen,
-	const unsigned char *issuerCert,
-	unsigned issuerCertLen,
-	SecIdentityRef signer,
-	unsigned char **outData,
-	unsigned *outDataLen)
-{
-	SecAsn1CoderRef coder;
-	SecAsn1CoderCreate(&coder);
-
-	CSSM_DATA subjectCertData = {subjectCertLen, (uint8 *)subjectCert};
-	CSSM_DATA issuerCertData = {issuerCertLen, (uint8 *)issuerCert};
-	uint8 nonceBytes[8] = {0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0};
-	CSSM_DATA nonceData = {8, nonceBytes};
-	CSSM_DATA tbs;
-	CSSM_DATA encoded = {0, NULL};
-	SecAsn1OCSPResponse topResponse;
-	SecAsn1OCSPResponseBytes responseBytes;
-	uint8 responseStatusByte;
-	CSSM_DATA resp = {0, NULL};
-	CSSM_DATA sig = {0, NULL};
-	
-	int irtn = genTbsResp(coder, clHand, status, reason, 
-		subjectCertData, issuerCertData,
-		0,			// thisUpdate
-		2600 * 24,	// next update
-		&nonceData,
-		tbs);
-	if(irtn) {
-		printf("***Error encoding tbsResp\n");
-		return irtn;
-	}
-	
-	/* 
-	 * That's the TBSResponseData. Sign it.
-	 */
-	OSStatus ortn;
-	SecAsn1OCSPBasicResponse basicResp;
-	memset(&basicResp, 0, sizeof(basicResp));
-	ortn = ocspSign(signer, tbs, CSSM_ALGID_SHA1WithRSA, sig);
-	if(ortn) {
-		printf("***Error signing basicResponse.\n");
-		goto errOut;
-	}
-	basicResp.algId.algorithm = CSSMOID_SHA1WithRSA;
-	basicResp.algId.parameters.Data = nullParam;
-	basicResp.algId.parameters.Length = sizeof(nullParam);
-	basicResp.tbsResponseData = tbs;
-	basicResp.sig = sig;
-	/* ASN1 encoder needs to know length in bits */
-	basicResp.sig.Length *= 8;
-	/* no certs for now */
-	/* encode SecAsn1OCSPBasicResponse */
-	
-	ortn = SecAsn1EncodeItem(coder, &basicResp, kSecAsn1OCSPBasicResponseTemplate,
-		&encoded);
-	if(ortn) {
-		printf("***Error encoding SecAsn1OCSPBasicResponse\n");
-	}
-	
-	/* put that into a SecAsn1OCSPResponse */
-	responseBytes.responseType = CSSMOID_PKIX_OCSP_BASIC;
-	responseBytes.response = encoded;
-	responseStatusByte = RS_Success;
-	topResponse.responseStatus.Data = &responseStatusByte;
-	topResponse.responseStatus.Length = 1;
-	topResponse.responseBytes = &responseBytes;
-	ortn = SecAsn1EncodeItem(coder, &topResponse, kSecAsn1OCSPResponseTemplate,
-		&resp);
-	if(ortn) {
-		printf("***Error encoding SecAsn1OCSPBasicResponse\n");
-		goto errOut;
-	}
-
-	/* TA DA */
-	*outData = (unsigned char *)malloc(resp.Length);
-	*outDataLen = resp.Length;
-	memmove(*outData, resp.Data, resp.Length);
-errOut:
-	SecAsn1CoderRelease(coder);
-	if(sig.Data) {
-		APP_FREE(sig.Data);
-	}
-	return ortn;
-}
-
-/* decode and parse tbsResponseData, sitting in SecAsn1OCSPBasicResponse as an 
- * ASN_ANY */
-static int 	parseResponseData(
-	SecAsn1CoderRef coder,
-	int indent, 
-	const CSSM_DATA &tbsResponseData)
-{
-	SecAsn1OCSPResponseData	respData;
-	SecAsn1OCSPResponderID responderID;
-	uint8 tag;
-	const SecAsn1Template *templ;
-	unsigned numExts;
-	
-	memset(&respData, 0, sizeof(respData));
-	OSStatus ortn = SecAsn1DecodeData(coder, &tbsResponseData,
-		kSecAsn1OCSPResponseDataTemplate, &respData);
-	if(ortn) {
-		printf("***Error decoding ResponseData\n");
-		return 1;
-	}
-	if(respData.version && respData.version->Data) {
-		doIndent(indent);
-		printf("version: %u\n", respData.version->Data[0]);
-	}
-	doIndent(indent);
-	printf("ResponderID:\n");
-	indent += 2;
-	memset(&responderID, 0, sizeof(responderID));
-	if(respData.responderID.Data == NULL) {
-		doIndent(indent);
-		printf("***Malformed(empty)***\n");
-		return 1;
-	}
-	
-	/* lame-o choice processing */
-	tag = respData.responderID.Data[0] & SEC_ASN1_TAGNUM_MASK;
-	switch(tag) {
-		case RIT_Name: 
-			templ = kSecAsn1OCSPResponderIDAsNameTemplate; 
-			break;
-		case RIT_Key: 
-			templ = kSecAsn1OCSPResponderIDAsKeyTemplate; 
-			break;
-		default:
-			doIndent(indent);
-			printf("**Unknown tag for ResponderID (%u)\n", tag);
-			return 1;
-	}
-	ortn = SecAsn1DecodeData(coder, &respData.responderID, templ, &responderID);
-	if(ortn) {
-		doIndent(indent);
-		printf("***Error decoding ResponderID\n");
-		return 1;
-	}
-	doIndent(indent);
-	switch(tag) {
-		case RIT_Name:
-			printf("byName:\n");
-			printName((NSS_Name &)responderID.byName, indent + 2);
-			break;
-		case RIT_Key:
-			printf("byKey : ");
-			printDataAsHex(&responderID.byKey);
-			break;
-	}
-	indent -= 2;		// end of ResponderID
-	
-	doIndent(indent);
-	printf("producedAt: ");
-	printString(&respData.producedAt);
-	unsigned numResps = ocspdArraySize((const void **)respData.responses);
-	doIndent(indent);
-	printf("Num responses: %u\n", numResps);
-	for(unsigned dex=0; dex<numResps; dex++) {
-		SecAsn1OCSPSingleResponse *resp = respData.responses[dex];
-		doIndent(indent);
-		printf("Response %u:\n", dex);
-		indent += 2;
-		doIndent(indent);
-		printf("CertID:\n");
-		dumpCertID(&resp->certID, indent + 2);
-		
-		doIndent(indent);
-		printf("certStatus: ");
-		/* lame-o choice processing */
-		tag = resp->certStatus.Data[0] & SEC_ASN1_TAGNUM_MASK;
-		switch(tag) {
-			case CS_Good:
-				printf("Good\n");
-				break;
-			case CS_Unknown:
-				printf("Unknown\n");
-				break;
-			default:
-				printf("**MALFORMED cert status tag (%u)\n", tag);
-				break;
-			case CS_Revoked:
-			{
-				printf("Revoked\n");
-				doIndent(indent);
-				SecAsn1OCSPCertStatus certStatus;
-				memset(&certStatus, 0, sizeof(certStatus));
-				ortn = SecAsn1DecodeData(coder, &resp->certStatus, 
-					kSecAsn1OCSPCertStatusRevokedTemplate, &certStatus);
-				if(ortn) {
-					doIndent(indent);
-					printf("***error parsing RevokedInfo\n");
-					break;
-				}
-				if(certStatus.revokedInfo == NULL) {
-					doIndent(indent);
-					printf("***GAK! Malformed (empty) revokedInfo\n");break;
-				}
-				printf("RevokedIndfo:\n");
-				indent += 2;
-				doIndent(indent);
-				printf("revocationTime: ");
-				printString(&certStatus.revokedInfo->revocationTime);
-				if(certStatus.revokedInfo->revocationReason) {
-					doIndent(indent);
-					printf("reason: %u\n", 
-						certStatus.revokedInfo->revocationReason->Data[0]);
-				}
-				indent -= 2;		// end of RevokedInfo
-				break;
-			}
-		}	/* switch cert status tag */
-		
-		doIndent(indent);
-		printf("thisUpdate: ");
-		printString(&resp->thisUpdate);
-		
-		if(resp->nextUpdate) {
-			doIndent(indent);
-			printf("nextUpdate: ");
-			printString(resp->nextUpdate);
-		}
-
-		numExts = ocspdArraySize((const void **)resp->singleExtensions);
-		for(unsigned extDex=0; extDex<numExts; extDex++) {
-			doIndent(indent);
-			printf("singleExtensions[%u]\n", extDex);
-			printOcspExt(coder, resp->singleExtensions[extDex], indent + 2);
-		}
-		
-		indent -= 2;		// end of resp[dex]
-	}
-	
-	numExts = ocspdArraySize((const void **)respData.responseExtensions);
-	for(unsigned extDex=0; extDex<numExts; extDex++) {
-		doIndent(indent);
-		printf("responseExtensions[%u]\n", extDex);
-		printOcspExt(coder, respData.responseExtensions[extDex], indent + 2);
-	}
-	return 0;
-}
-
-static int parseOcspResp(
-	CSSM_CL_HANDLE clHand, 
-	unsigned char *inFile, 
-	unsigned inFileLen,
-	bool verbose)
-{
-	SecAsn1OCSPResponse topResp;
-	SecAsn1CoderRef coder;
-	OSStatus ortn;
-	int indent = 0;
-	const char *str;
-	SecAsn1OCSPBasicResponse basicResp;
-	unsigned numCerts = 0;
-	
-	SecAsn1CoderCreate(&coder);	
-	memset(&topResp, 0, sizeof(topResp));
-	ortn = SecAsn1Decode(coder, inFile, inFileLen, kSecAsn1OCSPResponseTemplate,
-		&topResp);
-	if(ortn) {
-		printf("***Error decoding SecAsn1OCSPResponse\n");
-		goto errOut;
-	}
-	printf("OCSPResponse:\n");
-	indent += 2;
-	doIndent(indent);
-	printf("responseStatus: ");
-	if(topResp.responseStatus.Length == 0) {
-		printf("**MALFORMED**\n");
-	}
-	else {
-		switch(topResp.responseStatus.Data[0]) {
-			case RS_Success: str = "RS_Success"; break;
-			case RS_MalformedRequest: str = "RS_MalformedRequest"; break;
-			case RS_InternalError: str = "RS_InternalError"; break;
-			case RS_TryLater: str = "RS_TryLater"; break;
-			case RS_Unused: str = "RS_Unused"; break;
-			case RS_SigRequired: str = "RS_SigRequired"; break;
-			case RS_Unauthorized: str = "RS_Unauthorized"; break;
-			default: str = "MALFORMED (unknown enum)\n"; break;
-		}
-		printf("%s (%u(d))\n", str, topResp.responseStatus.Data[0]);
-	}
-	doIndent(indent);
-	printf("ResponseBytes: ");
-	if(topResp.responseBytes == NULL) {
-		printf("empty\n");
-		goto errOut;
-	}
-	printf("\n");
-	indent += 2;
-	doIndent(indent);
-	printf("responseType: ");
-	if(appCompareCssmData(&topResp.responseBytes->responseType,
-			&CSSMOID_PKIX_OCSP_BASIC)) {
-		str = "ocsp-basic";
-	}
-	else {
-		str = "Unknown type\n";
-	}
-	printf("%s\n", str);
-		
-	/* decode the BasicOCSPResponse */
-	memset(&basicResp, 0, sizeof(basicResp));
-	ortn = SecAsn1DecodeData(coder, &topResp.responseBytes->response,
-		kSecAsn1OCSPBasicResponseTemplate, &basicResp);
-	if(ortn) {
-		printf("***Error decoding BasicOCSPResponse\n");
-		goto errOut;
-	}
-	
-	doIndent(indent);
-	printf("BasicOCSPResponse:\n");
-	indent += 2;
-	doIndent(indent);
-	printf("ResponseData:\n");
-	parseResponseData(coder, indent + 2, basicResp.tbsResponseData);
-	doIndent(indent);
-	printf("sig: ");
-	printDataAsHex(&basicResp.sig, 8);
-	numCerts = ocspdArraySize((const void **)basicResp.certs);
-	doIndent(indent);
-	printf("Num Certs: %u\n", numCerts);
-	
-	if(verbose) {
-		for(unsigned dex=0; dex<numCerts; dex++) {
-			printf("+++++++++++++++++++++++++ Cert %u +++++++++++++++++++++++++\n", dex);
-			printCert(basicResp.certs[dex]->Data, basicResp.certs[dex]->Length, 
-				CSSM_FALSE);
-			printf("+++++++++++++++++++++++ End Cert %u +++++++++++++++++++++++\n", dex);
-		}
-	}
-	indent -= 2;		// end of BasicOCSPResponse
-	indent -= 2;		// end of ResponseBytes
-	indent -= 2;		// end of OCSPResponse
-errOut:
-	SecAsn1CoderRelease(coder);
-	return ortn;
-}
-
-static int postOcspReq(
-	CSSM_CL_HANDLE clHand,
-	const unsigned char *certFile, 
-	unsigned certFileLen, 
-	const unsigned char *issuerCertFile, 
-	unsigned issuerCertFileLen, 
-	const char *responderURI,
-	bool doParse,
-	bool verbose,
-	unsigned char **outFile,		// RETURNED 
-	unsigned *outFileLen)			// RETURNED
-{
-	auto_ptr<CertParser> subject;
-	auto_ptr<CertParser> issuer;
-	CSSM_DATA uriData = {0, NULL};
-	CSSM_DATA *url = NULL;
-	
-	try {
-		CSSM_DATA cdata = {certFileLen, (uint8 *)certFile};
-		subject.reset(new CertParser(clHand, cdata));
-	}
-	catch(...) {
-		printf("***Error parsing subject cert. Aborting.\n");
-		return -1;
-	}
-	try {
-		CSSM_DATA cdata = {issuerCertFileLen, (uint8 *)issuerCertFile};
-		issuer.reset(new CertParser(clHand, cdata));
-	}
-	catch(...) {
-		printf("***Error parsing issuer cert. Aborting.\n");
-		return -1;
-	}
-	
-	SecAsn1CoderRef coder;
-	SecAsn1CoderCreate(&coder);
-	/* subsequent errors to errOut: */
-	int ourRtn = 0;
-	const CSSM_DATA *derReq = NULL;
-	auto_ptr<OCSPRequest> ocspReq;
-	
-	if(responderURI != NULL) {
-		uriData.Data = (uint8 *)responderURI;
-		uriData.Length = strlen(responderURI);
-		url = &uriData;
-	}
-	else {
-		/* get OCSP URL from subject cert */
-		url = ocspUrlFromCert(*subject, coder);
-		if(url == NULL) {
-			printf("Sorry, no can do.\n");
-			ourRtn = -1;
-			goto errOut;
-		}
-	}
-	
-	/* create DER-encoded OCSP request for subject */
-	try {
-		ocspReq.reset(new OCSPRequest(*subject, *issuer, false));
-		derReq = ocspReq->encode();
-	}
-	catch(...) {
-		printf("***Error creating OCSP request. Aborting.\n");
-		ourRtn = -1;
-		goto errOut;
-	}
-	
-	/* do it */
-	CSSM_DATA ocspResp;
-	CSSM_RETURN crtn;
-	crtn = ocspdHttpPost(coder, *url, *derReq, ocspResp);
-	if(crtn) {
-		printf("***Error fetching OCSP response***\n");
-		cssmPerror("ocspdHttpPost", crtn);
-		ourRtn = -1;
-		goto errOut;
-	}
-	*outFile = ocspResp.Data;
-	*outFileLen = ocspResp.Length;
-	if(doParse) {
-		parseOcspResp(clHand, ocspResp.Data, ocspResp.Length, verbose);
-	}
-	/* copy out */
-	*outFile = (unsigned char *)malloc(ocspResp.Length);
-	*outFileLen = ocspResp.Length;
-	memmove(*outFile, ocspResp.Data, ocspResp.Length);
-
-errOut:
-	SecAsn1CoderRelease(coder);
-	return ourRtn;
-}
-
-typedef enum {
-	op_genReq,
-	op_parseReq,
-	op_genReply,
-	op_parseResp,
-	op_post
-} ocspOp;
-
-int main(int argc, char **argv)
-{
-	if(argc < 2) {
-		usage(argv);
-	}
-	ocspOp op;
-	switch(argv[1][0]) {
-		case 'g': op = op_genReq; break;
-		case 'G': op = op_parseReq; break;
-		case 'r': op = op_genReply; break;
-		case 'R': op = op_parseResp; break;
-		case 'p': op = op_post; break;
-		default: usage(argv);
-	}
-	
-	/* user defined vars */
-	char *inFile = NULL;
-	char *outFile = NULL;
-	char *inCertName = NULL;
-	char *issuerCertName = NULL;
-	SecAsn1OCSPCertStatusTag certStatus = CS_Good;
-	CE_CrlReason crlReason = CE_CR_Unspecified;
-	char *kcName = NULL;
-	bool verbose = false;
-	bool doParse = false;
-	const char *responderURI = NULL;
-	
-    extern int optind;
-	optind = 2;
-    extern char *optarg;
-	int arg;
-    while ((arg = getopt(argc, argv, "c:C:i:o:s:r:k:phvu:")) != -1) {
-		switch (arg) {
-			case 'c':
-				inCertName = optarg;
-				break;
-			case 'C':
-				issuerCertName = optarg;
-				break;
-			case 'i':
-				inFile = optarg;
-				break;
-			case 'o':
-				outFile = optarg;
-				break;
-			case 's':
-				switch(optarg[0]) {
-					case 'g':
-						certStatus = CS_Good;
-						break;
-					case 'r':
-						certStatus = CS_Revoked;
-						break;
-					case 'u':
-						certStatus = CS_Unknown;
-						break;
-					default:
-						printf("***Unrecognized certStatus***\n");
-						usage(argv);
-				}
-				break;
-			case 'r':
-				crlReason = atoi(optarg);
-				break;
-			case 'k':
-				kcName = optarg;
-				break;
-			case 'v':
-				verbose = 1;
-				break;
-			case 'p':
-				doParse = true;
-				break;
-			case 'u':
-				responderURI = optarg;
-				break;
-			default:
-			case '?':
-				usage(argv);
-		}
-	}
-	if(optind != argc) {
-		/* this happens if you give getopt() an arg which doesn't start with '-' */
-		usage(argv);
-	}
-	
-	unsigned char *certData = NULL;
-	unsigned certDataLen = 0;
-	unsigned char *issuerCertData = NULL;
-	unsigned issuerCertDataLen = 0;
-	unsigned char *inData = NULL;
-	unsigned inDataLen = 0;
-	unsigned char *outData = NULL;
-	unsigned outDataLen = 0;
-	SecKeychainRef kcRef = NULL;
-	OSStatus ortn;
-	
-	if(inCertName) {
-		if(readFile(inCertName, &certData, &certDataLen)) {
-			printf("***Error reading cert file %s. Aborting.\n", inCertName);
-			exit(1);
-		}
-	}
-	if(issuerCertName) {
-		if(readFile(issuerCertName, &issuerCertData, &issuerCertDataLen)) {
-			printf("***Error reading cert file %s. Aborting.\n", issuerCertName);
-			exit(1);
-		}
-	}
-	if(inFile) {
-		if(readFile(inFile, &inData, &inDataLen)) {
-			printf("***Error reading input file %s. Aborting.\n", inFile);
-			exit(1);
-		}
-	}
-	if(kcName) {
-		ortn = SecKeychainOpen(kcName, &kcRef);
-		if(ortn) {
-			cssmPerror("SecKeychainOpen", ortn);
-			return ortn;
-		}
-	}
-	CSSM_CL_HANDLE clHand = cuClStartup();
-	
-	switch(op) {
-		case op_genReq:
-			ortn = genOcspReq(clHand, certData, certDataLen, 
-				issuerCertData, issuerCertDataLen,
-				&outData, &outDataLen);
-			break;
-		case op_parseReq:
-			ortn = parseOcspReq(clHand, inData, inDataLen, verbose);
-			break;
-		case op_genReply:
-		{
-			SecIdentityRef idRef = NULL;
-			ortn = sslSimpleIdentPicker(kcRef, &idRef);
-			if(ortn) {
-				printf("***Error choosing identity. Aborting.\n");
-				exit(1);
-			}
-			ortn = genOcspResp(clHand, certStatus, crlReason,
-				certData, certDataLen, issuerCertData, issuerCertDataLen,
-				idRef, &outData, &outDataLen);
-			CFRelease(idRef);
-			break;
-		}
-		case op_parseResp:
-			ortn = parseOcspResp(clHand, inData, inDataLen, verbose);
-			break;
-		case op_post:
-			ortn = postOcspReq(clHand, certData, certDataLen, 
-				issuerCertData, issuerCertDataLen, responderURI,
-				doParse, verbose,
-				&outData, &outDataLen);
-			break;
-		default:	
-			printf("Op %s is not yet implemented.\n", argv[1]);
-			exit(1);
-	}
-	
-	if(ortn == 0) {
-		if(outData != NULL) {
-			if(outFile== NULL) {
-				printf("...generated %u bytes but no place to write it.\n", outDataLen);
-			}
-			else {
-				ortn = writeFile(outFile, outData, outDataLen);
-				if(ortn) {
-					printf("***Error writing output to %s.\n", outFile);
-				}
-				else {
-					printf("...wrote %u bytes to %s\n", outDataLen, outFile);
-				}
-			}
-		}
-	}
-	return ortn;
-}